Botnets at the Gate: Stopping Botnets and DDoS Attacks


Botnets have infiltrated millions of users' computers and wreaked incalculable damage. This white paper lifts the veil on botnets and on the cyber-criminals behind them. It analyzes the history, growth, and economics behind botnets. It then investigates one of the most common attacks executed by botnets: the Distributed Denial of Service (DDoS) attack.

Transcript

1.
White Paper

Botnets at the Gate: Stopping Botnets and Distributed Denial of Service Attacks

Over the past several years, botnets like BlackEnergy, Illusion, Pushdo, and Zeus have dominated news headlines. They have infiltrated millions of users’ computers and wreaked incalculable damage – unleashing powerful Denial of Service attacks, exposing national security secrets, and compromising individual victims’ credit card numbers and bank account credentials. Virtually all online users have been affected by botnets, either as hapless recipients of spam email or as frustrated users attempting to visit an unavailable Website. However, millions of users have suffered a much worse fate, recruited unknowingly into a botnet army.

The numbers are staggering. The Bredolab botnet alone had infected over 30 million computers and sent an estimated 3.6 billion virus-laden emails every day in late 2009.[1] As of early December 2010, over 5,400 botnet command and control servers were identified and active.[2]

This paper attempts to lift the veil on botnets and the cyber-criminals behind them. It analyzes the history, growth, and economics behind botnets. It then investigates one of the most common attacks executed by botnets: the Distributed Denial of Service (DDoS) attack. To help combat automated attacks, this paper proposes a number of security measures that include processes, technologies, and services. While organizations must heed the growing specter of botnets, there are a number of tools at their disposal that can mitigate botnet security threats.

[1] “Dutch National Crime Squad announces takedown of dangerous botnet,” October 25, 2010, OpenBaar Ministerie
[2] Shadowserver Foundation

2.
Introduction

Millions of computers around the world are controlled by cybercriminals. These computers have been infected with software robots, or “bots”, that automatically connect to command and control servers. The command and control servers then instruct the bots to carry out illicit activity, such as performing denial of service attacks or harvesting application content. Building these networks of bots, or botnets, has become a lucrative business for botnet operators, who rent out their bots to the highest bidder. But before examining the botnet business model, we will investigate how they are formed.

Botnet Propagation

Botnet operators, also known as “bot farmers,” use a variety of different methods to build their networks of bots. Common methods include email viruses, Internet worms, drive-by downloads of malware, Trojans distributed on portable storage devices, and more. As a case in point, a sweeping report about the Koobface botnet[3] reveals how its architects infected more than 2.9 million computers. The Koobface operators used social networking tactics on the world’s leading social network platforms – Facebook, Twitter, and MySpace – to spread the botnet malware.[4]

Koobface primarily targeted Facebook. Its main means of propagation was through fraudulent Facebook messages that enticed recipients to watch a video, such as an embarrassing video captured by a hidden camera. Once users clicked on an embedded link in the message, they would be taken to a compromised site hosting the malware. Then, when users tried to view the video, they would be instructed to update their Adobe Flash Player or download a new codec.

Figure 1: A Christmas variant of a Koobface malware-hosted Web page[5]

[3] “Koobface: Inside a Crimeware Network,” November 2010, Information Warfare Monitor
[4] Affected sites also included Bebo, Friendster, Fubar, Hi5, LiveJournal, Netlog, Tagged, and Yearbook
[5] “Koobface botnet enters the Xmas season,” Zero Day blog

Imperva White Paper < 2 >

3.
If users agreed to install the fake update, they would unwittingly download the Koobface malware. Then when these users logged into their Facebook accounts, the Koobface malware would send malicious messages to a new host of victims.

In contrast, BredoLab, the largest known botnet to date, relied on email messages with malware attachments to compromise computers. When these attachments were opened by users, the malware would infect the users’ computers, turning them into zombies. While email was the main form of distribution, BredoLab’s operators also used drive-by downloads, downloading malware to users’ computers without the users’ knowledge.

The techniques used to propagate Koobface and BredoLab are typical of the entire botnet industry: viruses, worms, and Trojans spread through application and system vulnerabilities or social engineering tactics.

Botnet Communications

After computers have been compromised with a botnet agent, the agents will automatically connect to botnet command and control servers. Bots have traditionally communicated with these servers using Internet Relay Chat (IRC), a real-time chat and instant messaging protocol. While botnets are synonymous with IRC, botnet operators are increasingly turning to Web-based communications because they are easier to set up and harder to detect. Web-based botnet kits often include user-friendly Web user interfaces, simplifying management. Today, botnet operators are even turning social networking sites into command and control channels, disseminating attack instructions through Twitter or Facebook accounts. In fact, recent research indicates that Web-based botnets now outnumber traditional IRC botnets by a factor of five.[6] While IRC botnets are by no means dead, this shift illustrates the rapid evolution of botnet architectures as botnet operators attempt to stay ahead of authorities and ahead of one another.

Botnet Development

Botnet development also has evolved; instead of lone hackers laboring to develop botnet command and control servers, botnet operators increasingly rely on off-the-shelf botnet toolkits. Criminals with little to no programming experience can obtain kits such as BlackEnergy or Butterfly for as little as $700, make a few minor modifications, and then distribute their bot agents through online forums and BitTorrent. Many of these botnet toolkits today even include graphical user interfaces, dashboards, and report statistics.

Figure 2: A command and control interface for the Zeus botnet

[6] “The Death of the IRC Botnet,” eSecurity Planet, November 18, 2010

4.
The Imperva Application Defense Center (ADC) discovered an off-the-shelf hacking toolkit that exemplifies today’s crimeware trends.[7] While it was a phishing toolkit, it shares many similarities with current botnet toolkits. The toolkit offers a simple GUI dashboard and provides “cloud storage” for stolen credentials – completely automating all aspects of the criminal campaign. The credentials are ostensibly stored in a location that can only be accessed by the individual toolkit user. However, unbeknownst to toolkit users, the toolkit creator created a backdoor that provided full access to all of the stolen credentials. The toolkit has purportedly been downloaded over 200,000 times, providing the creator with countless user names and passwords. This toolkit illustrates today’s trends to automate cybercrime. And although this toolkit was distributed for free, it shows the profits that hackers can reap by developing off-the-shelf hacking tools.

Botnet toolkits help build the botnet infrastructure – the botnet command and control servers. In addition, botnet development also includes the malware that infects computers and transforms them into zombies. And like botnet toolkits, a slew of malware toolkits have emerged to service the needs of botnet operators. To increase infection rates, malware developers must check that their malware won’t be detected by computer anti-virus software. Many malware scanning portals have sprung up to simplify this process. Malware scanning portals allow malware developers to test their malware against anti-virus software. For example, one commercial malware QA service, Virtest.com, allows malware developers to test their malware against 26 anti-virus engines. Sites like Virtest.com exemplify the “Industrialization of Hacking” that has transformed hacking into an efficient, scalable, and profitable enterprise.

Figure 3: Malware scanning portal Virtest.com

[7] For more information, see “An Inside Look at Hacker Business Models,” Noa Bar-Yosef, Security Week, October 19, 2010.

5.
The Economics of Botnets

Botnet ownership can be even more lucrative than botnet development. Botnets are a key component of the overall hacking “industry,” an industry estimated to garner $1 trillion per year.[8] Botnet operators have multiple ways to capitalize on their botnet armies; perpetrating pay-per-click fraud and renting out botnets for distributed attacks are just two examples. The Koobface botnet owners netted over $2 million in less than twelve months using pay-per-click and pay-per-install schemes.[9]

For operators renting out their botnets, the primary value of a botnet is its size. However, other factors can impact the money-making capabilities of a botnet, including the type of attack to be carried out, the target, and its geographic location. According to Imperva research, renting a botnet to spam one million emails ranges in cost from $150 to $200. A 24-hour DDoS attack can range from $50 to several thousand dollars for larger attacks. With so much money to be made, it is not surprising that botnets are increasing in size, number, and sophistication every year.

Botnets as Weapons

So far, this paper has profiled the spread, communications, development, and financial business model of botnets. However, the major concern for most organizations is the damage that can be wrought by botnets. Botnets can be used as instruments to carry out any number of malicious activities; sending spam email, logging keystrokes to capture online user credentials, scanning computer files for sensitive data, pay-per-click fraud, and distributed password cracking are just a few examples.

One of the most dangerous botnet threats is the DDoS attack. Harnessing the aggregate power of thousands or tens of thousands of bots, DDoS attacks can inflict tremendous damage on Websites, slowing down or even completely disabling them. And DDoS attacks are not isolated, but a regular issue for many organizations. According to a recent survey of IT decision makers, 74% reported suffering one or more DDoS attacks in the past 12 months. Of these, 31% said that the attacks disrupted service.[10] Whether the motivation is political, financial or just random, DDoS attacks can be extraordinarily costly for the targeted organizations.

The Imperva ADC has tracked numerous application DDoS attacks conducted through botnets. They have also investigated underground forums and hacker sites to uncover new DDoS attack methods. Based on this research, this paper will examine application DDoS attacks and recommend mitigation techniques.

[8] “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” Joseph Menn, 2010
[9] “Koobface: Inside a Crimeware Network,” November 2010, Information Warfare Monitor
[10] “The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester

6.
Application DDoS

A Distributed Denial of Service (DDoS) attack is an attack initiated from multiple machines that is designed to disrupt normal operations. Traditional Denial of Service (DoS) attacks attempt to exploit server or application weaknesses to cause it to stop responding. DDoS attacks amplify the effects of DoS attacks by using thousands of machines to launch their assaults. These new attacks may not necessarily exploit vulnerabilities; they may simply unleash a flood of requests, overwhelming the bandwidth and server processing power of the targeted site.

The End Game for DDoS

DDoS attacks have targeted a diverse range of organizations, from government institutions and banks, to social networking companies and even root name server operators. The motivations for DDoS attacks vary: financial, political, religious, entertainment, or even personal notoriety.

Many organized cyber criminals use DDoS to extort money from online sites. Authorities convicted a Russian gang of blackmailing over 50 organizations, extracting over $4 million from British companies, typically online gambling sites.[11] In 2008, a wave of DDoS attacks brought down 10 online gambling sites, also purportedly targets of extortion schemes.

Hacktivism is another key motivation for DDoS attacks. Whether driven by national patriotism or the desire to squelch the opinions of an ideological foe, DDoS is the weapon of choice. Examples of hacktivism in action include DDoS attacks targeting Georgian Websites before the Ossetia War in 2008 and the Iranian government’s Website during the 2009 Iranian election protests. Government Websites representing the US, Korea, Myanmar, Estonia, and many others have been targeted. In fact, a persistent DDoS attack on Burmese Websites during Burma’s 2010 national elections actually caused the entire country’s Internet connectivity to go down. More recently, WikiLeaks has found itself in the center of a DDoS hacktivism war. Hacktivists attacked the MasterCard, Visa and PayPal Websites in retaliation after these companies stopped processing donations to WikiLeaks.

DDoS Botnets-for-Hire

While the WikiLeaks-inspired “Operation Payback” attack used a combination of voluntary hackers and bots, almost all DDoS attacks are executed by criminal botnet services. DDoS rental fees typically start at $50 for small attacks, but some researchers have seen DDoS prices as low as $9. To attract customers, botnet owners advertise their services, continually seeking to outclass their botnet brethren. Owners promote their services in underground forums and mailing lists. In the case of the powerful IMDDOS botnet, the owners actually set up a public Website to showcase their offering.[12] On a message board, one botnet operator touted that his botnet offered “the best combination of quality and service” and special pricing for regular customers. Options included HTTP attacks, downloading flood, POST flood, and ping commands “tuned to perfection.”[13] Like slick advertising executives, botnet operators and even bot malware creators promote their offerings with carefully fine-tuned messaging.

DDoS 2.0

DDoS attacks traditionally are carried out by computer-based bots. The Imperva ADC uncovered a new breed of DDoS attacks in May 2010 that uses Web servers as payload-carrying bots. Imperva discovered a 300-server strong botnet that set a new standard for power, efficiency and stealth. Using a basic software program equipped with a dashboard and control panel, hackers could configure the IP, port, and duration of the attack. Hackers simply need to type the Website URL they wish to attack and then they can instantly disable targeted sites.

[11] “Online Russian blackmail gang jailed for extorting $4m from gambling websites”, http://www.sophos.com/pressoffice/news/articles/2006/10/extort-ddos-blackmail.html
[12] “Damballa Discovers New Wide-Spread Global Botnet Offering Commercial DDoS Services,” Damballa, September 2010
[13] “BlackEnergy competitor – The ‘Darkness’ DDoS Bot,” Shadowserver calendar entry for December 5, 2010

7.
Figure 4: The user interface for managing DDoS attacks from Web servers.

A single Web server could unleash the same damage as fifty or more PCs. With such powerful attack weapons at their command, it is not surprising that DDoS rental services keep increasing the strength of their attacks. The largest observed DDoS attack reached an all-time high of 49 Gbps in 2009.[14]

Advanced Application DDoS Attacks

Many organizations witnessed an increase in application-based attacks in 2009 compared to previous years. While application-based attacks still only account for 26% of all DDoS attacks,[14] they are more sophisticated and much more challenging to stop. There are several reasons why application-based attacks are the most dangerous type of DDoS. Network firewalls today can detect the majority of flood and network DoS attacks. Many ICMP and UDP flood attacks can also be identified using intelligent packet filtering and source and destination access control lists. However, application DDoS attacks usually bypass most traditional network security devices.

Application DDoS attacks exploit vulnerabilities in application servers or application business logic. For example, application DDoS attacks may simply flood a Web application server with seemingly legitimate requests designed to overwhelm Web application servers. An attacker may also attempt to exploit an application vulnerability, such as sending Web requests with extremely long URLs. More sophisticated attacks exploit business logic flaws. For example, if an application’s Website search mechanism is poorly written, it could require excessive processing by a back end database server. An application DDoS attack could exploit this vulnerability by performing thousands of search requests using wildcard search terms to overwhelm the back end application database.

“Slowloris” emerged as a perilous application DDoS attack in 2009. This attack disrupts application service by exhausting web server connections. In the Slowloris attack, the attacker sends an incomplete HTTP header and then periodically sends header lines to keep the connection alive, but never sends the full header. Without requiring that much bandwidth, an attacker can open numerous connections and overwhelm the targeted Web server. While multiple patches have been created for Apache to mitigate this vulnerability, it nonetheless demonstrates the power of more sophisticated DDoS attacks.

[14] “Worldwide Infrastructure Security Report,” Arbor Networks, Volume V.
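The server-side fix that the Apache patches mentioned above implement is simple to state: a connection gets one absolute deadline and one size cap for delivering its complete request head, and trickling header lines does not extend that deadline. The following Python example is added here to show that mitigation concretely; it is not code from the white paper or from Apache. The `read_request_head` reader, the `head_is_well_formed` validation, the `simulate` helper with its socketpair, and the two constructed clients (one that never finishes its header, one that does) are all assumptions made for the demonstration.

```python
"""Bounded read of an HTTP request head: a Slowloris-resistant accept path.

Added example (not code from the white paper). The server gives each new
connection one absolute deadline to deliver a complete request head,
i.e. everything up to the blank line, plus one size cap. Trickling header
lines keeps the TCP connection alive but does not extend the deadline,
so the connection slot is reclaimed on schedule.
"""
import socket
import threading
import time

HEAD_END = b"\r\n\r\n"


def read_request_head(conn, deadline_s=2.0, max_head_bytes=8192):
    """Return the complete request head, or None if it did not arrive in time.

    The timeout passed to each recv() is the time left on the overall
    deadline, so a partial header line arriving late cannot reset the clock.
    """
    start = time.monotonic()
    buf = bytearray()
    while True:
        remaining = deadline_s - (time.monotonic() - start)
        if remaining <= 0:
            return None                      # head never completed: drop it
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except (socket.timeout, TimeoutError):
            return None                      # deadline hit mid-header
        if not chunk:
            return None                      # peer closed before finishing
        buf += chunk
        if len(buf) > max_head_bytes:
            return None                      # oversized head (e.g. very long URL)
        end = buf.find(HEAD_END)
        if end != -1:
            return bytes(buf[:end + len(HEAD_END)])


def head_is_well_formed(head, max_header_lines=100):
    """Minimal protocol validation on a complete head.

    Rejects request lines without exactly three tokens, header lines with
    no colon, a missing or repeated Host header, and heads padded with an
    excessive number of header lines.
    """
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return False
    headers = lines[1:]
    if len(headers) > max_header_lines:
        return False
    if any(b":" not in ln for ln in headers):
        return False
    names = [ln.split(b":", 1)[0].strip().lower() for ln in headers]
    return names.count(b"host") == 1


def simulate(client_sends, deadline_s=2.0):
    """Run read_request_head against a constructed client over a socketpair.

    client_sends is a list of (delay_seconds, bytes) pairs: the client waits
    the delay and then writes the bytes, never closing its end, which is the
    connection-holding behaviour the paper describes for Slowloris.
    Returns what the server side would see: the head bytes or None.
    """
    server_side, client_side = socket.socketpair()

    def client():
        for delay, data in client_sends:
            time.sleep(delay)
            try:
                client_side.sendall(data)
            except OSError:
                return                       # server already dropped us

    threading.Thread(target=client, daemon=True).start()
    try:
        return read_request_head(server_side, deadline_s=deadline_s)
    finally:
        server_side.close()
        client_side.close()


# Constructed traffic for the demonstration (not captured from a real attack).
SLOW_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n")] + [
    (0.3, b"X-keepalive: %d\r\n" % i) for i in range(10)
]
NORMAL_CLIENT = [(0.0, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"),
                 (0.05, b"User-Agent: Mozilla/5.0\r\n\r\n")]

if __name__ == "__main__":
    print("slow client head:", simulate(SLOW_CLIENT, deadline_s=0.5))
    head = simulate(NORMAL_CLIENT)
    print("normal client head well formed:", head_is_well_formed(head))
```

The design point is that the deadline is measured from the first byte of the connection, not from the last byte received: a per-read idle timeout alone is exactly what a Slowloris client defeats by sending one header line just before it expires. The header-count and Host checks in `head_is_well_formed` correspond to the protocol validation discussed later in the paper.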

8.
Application DDoS Mitigation Techniques

There are a number of measures that organizations can undertake to mitigate the risks of a DDoS attack. Organizations with mission-critical Web applications can:

» Over-provision bandwidth to absorb DDoS bandwidth peaks – Although this is one of the most common measures to alleviate DDoS attacks, it is also probably the most expensive. Allocating extra bandwidth can be an effective way to manage small-scale DDoS attacks, but it won’t solve advanced application attacks that target application vulnerabilities and flaws.

» Implement black hole routing – When an attack occurs, the victim can work in conjunction with its ISP(s) to re-route DDoS traffic. There are two types of black hole routing: source-based and destination-based. With source-based black hole routing, a null route is created to discard traffic from known malicious sources. This is effective if the DDoS attack is coming from a limited number of users. With destination-based black hole routing, the attack target is null routed, basically taking the Website offline. Obviously, this is a solution for ISPs and not for DDoS victims.

» Secure Application and Server Management – If organizations’ development teams follow secure application coding best practices, they can prevent many buffer overflow attacks. In addition, system administrators should harden systems, apply the latest patches, and configure the Web server to close idle connections.

» Apply application-level controls – Because application DDoS attacks mimic regular Web application traffic, they can be difficult to detect through typical network DDoS techniques. However, using a combination of application-level controls and anomaly detection, organizations can identify and stop malicious traffic. Measures include:

  • Detecting an excessive number of requests from a single source or user session – Automated attack sources almost always request Web pages more rapidly than standard users.

  • Recognizing known attack sources, such as malicious IP addresses, anonymous proxies and TOR networks. Known attack sources account for a large percentage of all DDoS attacks. Because malicious sources constantly change, organizations should have an up-to-date list of active attack sources.

  • Identifying known bot agents – DDoS attacks are almost always performed by an automated client. Many of these client or bot agents have unique characteristics that differentiate them from regular Web browser agents. Tools that recognize bot agents can immediately stop many types of DDoS sources.

  • Implementing CAPTCHAs to block automated clients – CAPTCHAs can hinder automated DDoS attacks. However, bots are increasingly finding ways to circumvent CAPTCHAs. Up to 60 percent of bots can crash through CAPTCHAs, according to recent security research.[15] Nevertheless, CAPTCHAs are still an effective defense against application DDoS attacks.

  • Distinguishing attributes, and aftermath, of a malicious request – Some DDoS attacks can be detected through known attack patterns or signatures. In addition, many malicious Web requests do not conform to HTTP protocol standards. For instance, the Slowloris DDoS attack included redundant HTTP headers. In addition, DDoS clients may request Web pages that do not exist. Attacks may also generate Web server errors or slow Web server response time.

The aforementioned techniques are just a few of the measures that organizations can undertake to combat DDoS attacks. They should be combined with processes, such as developing an internal rapid response team that can quickly and adeptly analyze and address DDoS attacks. If organizations undertake effective security measures, they will be well equipped to fight application DDoS attacks.

[15] “Botnets Target Websites with ‘Posers’,” Dark Reading, June 1, 2010.
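Four of the application-level measures above (request rate per source, known attack sources, known bot agents, and the aftermath of a malicious request in the form of errors and requests for pages that do not exist) can be evaluated directly from a Web server's access log. The following Python script is an added example, not code from the white paper or from any Imperva product: it parses combined-format log lines and reports which source addresses trip which checks. The thresholds, the bot-agent patterns, the reputation list and the sample log lines are all constructed for the demonstration and would be tuned against real traffic.

```python
"""Application DDoS indicators computed from Web server access logs.

Added example, not code from the white paper or from SecureSphere. It
turns the measures listed above into checks over access-log lines in the
Apache/NGINX combined format: request rate per source (sliding window),
known attack sources from a reputation list, known bot user agents, and
the aftermath of a malicious request (a high share of 4xx/5xx responses,
including requests for pages that do not exist). The thresholds, the bot
agent patterns, the reputation list and the log lines are all constructed
for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative assumptions: a few automated-client patterns and a reputation feed.
BOT_AGENT_PATTERNS = [re.compile(p, re.I)
                      for p in (r"^python-requests/", r"^curl/", r"^$", r"^Mozilla/4\.0$")]
KNOWN_BAD_SOURCES = {"203.0.113.77"}

# Illustrative policy thresholds; tune them against the application's real traffic.
WINDOW = timedelta(seconds=10)
MAX_REQUESTS_PER_WINDOW = 20
MAX_ERROR_RATIO = 0.5
MIN_REQUESTS_FOR_RATIO = 5


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def peak_requests_in_window(timestamps, window):
    """Largest number of requests falling inside any interval of length `window`."""
    timestamps = sorted(timestamps)
    start = peak = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyze(lines):
    """Return {source_ip: [reasons]} for sources that trip at least one check."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        peak = peak_requests_in_window([r["ts"] for r in recs], WINDOW)
        if peak > MAX_REQUESTS_PER_WINDOW:
            reasons.append(f"rate: {peak} requests within {WINDOW.seconds}s")
        if ip in KNOWN_BAD_SOURCES:
            reasons.append("reputation: listed attack source")
        if any(p.search(r["ua"]) for r in recs for p in BOT_AGENT_PATTERNS):
            reasons.append("agent: known automated client")
        errors = sum(1 for r in recs if r["status"] >= 400)
        if len(recs) >= MIN_REQUESTS_FOR_RATIO and errors / len(recs) > MAX_ERROR_RATIO:
            reasons.append(f"errors: {errors}/{len(recs)} responses were 4xx/5xx")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, ts, path, status, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: one browser, one scripted flood, one listed source probing missing pages.
BASE = datetime(2010, 12, 5, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("198.51.100.10", BASE + timedelta(seconds=12 * i), f"/page{i}", 200,
           "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6") for i in range(5)]
    + [_line("192.0.2.5", BASE + timedelta(milliseconds=200 * i), "/search?q=*", 200,
             "python-requests/2.0") for i in range(30)]
    + [_line("203.0.113.77", BASE + timedelta(seconds=i), f"/missing{i}.php", 404,
             "Mozilla/5.0 (X11; Linux) Chrome/8.0") for i in range(6)]
)

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run on the constructed log, the browser source is left alone, the flood source trips the rate and bot-agent checks, and the listed source trips the reputation and error-ratio checks. Each check alone produces false positives (a busy NAT gateway, a legitimate crawler, a user following stale links), which is why the paper recommends combining them with anomaly detection rather than blocking on any single indicator.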

9.
A Practical Approach to Mitigate Botnet and DDoS Threats

Botnets have become enemy number one for most IT security departments. They are responsible for virtually every large-scale, distributed attack today, including spam email, phishing attacks, and screen scraping. Botnets also carry out automated Distributed Denial of Service (DDoS) attacks so powerful that they have brought down Twitter, Facebook, Yahoo, and Google. And almost three quarters of all organizations have suffered from a DDoS attack in the past twelve months.

Detecting and mitigating botnet threats requires multiple tools and processes. One layer of defense is a Web Application Firewall (WAF). A WAF can monitor application traffic for unusual activity, detect unexpected spikes in bandwidth, and block offending packets. With advanced Web application intelligence, a WAF can detect botnet activity and distinguish between legitimate Web traffic and attacks.

The Imperva SecureSphere Web Application Firewall provides organizations with an ironclad defense against botnet threats and application DDoS attacks. SecureSphere offers unique detection techniques that can identify and stop automated attacks like DDoS. In addition, SecureSphere offers flexible customization, allowing organizations to fine tune security rules based on application-specific requirements.

SecureSphere Protection against Application DDoS

Imperva SecureSphere offers multiple layers of protection to identify botnet threats like application DDoS attacks. SecureSphere fortifies Web applications using:

» Automatic learning of applications and user behavior – Imperva’s patented Dynamic Profiling technology learns the structure and elements of protected Web applications. In addition, it profiles user interaction with the application. This allows SecureSphere to detect unusually long form field values, parameter tampering and session abuse. It also allows SecureSphere to identify requests to Web pages that do not exist, abnormal traffic flows and other atypical behavior. Most application DDoS attacks will generate profile violations that can be used alone or in conjunction with other identifiers to stop the attacks.

» Protection against automated attacks through ThreatRadar – Imperva’s industry-first reputation-based security service recognizes known attack sources, such as malicious IPs, anonymous proxies, and TOR networks. ThreatRadar receives near real-time feeds of known bad users from global defense research organizations. These feeds are not just lists of known bots, but bots that are currently active and perpetrating attacks. With ThreatRadar, SecureSphere can stop a large percentage of malicious users even before they can execute an attack.

» Bot agent detection – Bots are automated clients. They typically do not access Web sites using a standard Web agent, like Firefox or Internet Explorer. Instead, they use scripts or unique botnet browser agents. SecureSphere can identify and stop hundreds of the most common bot agents. In addition, SecureSphere can recognize unique characteristics of traffic activity indicative of botnet zombies.

» HTTP protocol validation – SecureSphere detects traffic that does not conform to the HTTP RFC standard. This protocol validation quickly uncovers a significant portion of application DDoS attacks, buffer overflow attempts and evasion techniques.

» Up-to-date Web attack signatures – SecureSphere identifies many known application DDoS attacks, including attacks to IIS, Apache, PHP, and ColdFusion, through attack signatures. Driven by research from the Imperva ADC, SecureSphere’s attack signatures offer comprehensive protection against the latest threats.

10.
» Application error and response analysis – One of the main indicators of DDoS attacks is Web application errors and slow response times. SecureSphere can inspect outbound Web responses for error codes or code leakage. It can also monitor Web page response times, pinpointing requests that required excessive application processing.

» Custom security rules – SecureSphere offers flexible policy configuration, enabling organizations to build security rules based on over two dozen match criteria. Security administrators can, for instance, block an attack if SecureSphere observes many requests from a single IP address over a period of time and the requests generate application errors. SecureSphere can block the individual request or block the IP address, session, or user for a period of time.

Figure 5: Configuring a custom security policy in SecureSphere

» Real-time monitoring and analytics – For current analysis of attack trends, SecureSphere offers detailed security alerts. The alerts identify the source address, time of day, type and severity of the alert, the entire Web request, and a quick link to the policy that triggered the violation. In addition, SecureSphere tracks the Web server response code and optionally the entire response for forensics investigations. Clear, comprehensive alerts provide IT security administrators instant visibility into DDoS attack sources.